UAE used ‘Karma’ hack tool to spy on iPhone photos, texts, and more

The barrage of bad news for the iPhone keeps coming.

Reuters has published a semi-worrisome report about how a team of former U.S. intelligence agents working for the UAE used a cyber tool called Karma to spy on iPhones used by “activists, diplomats and rival foreign leaders” simply by “uploading phone numbers or email accounts into an automated targeting system.”

Karma reportedly allowed the UAE to “monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen.”

The spying tool, purchased by the UAE from an unnamed vendor, is described as seemingly easy to use and works in conjunction with a security hole that can be exploited within iOS, the software which the iPhone runs. 

The tool is said to only work on iPhones and not Android devices, and takes advantage of a security flaw within iMessage. According to the former operatives, the exploit injected malware through the messaging platform to “establish a connection with the device”. Karma is then used to send a text message to the target iPhone to gain access to private data stored on it.

Per Reuters:

“In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.”

One thing Karma can’t do is intercept phone calls, according to the operatives who spoke with Reuters.

Though several former operatives told Reuters software updates released by the end of 2017 reduced the effectiveness of the spying tool, it’s unclear if the vulnerability has been fully closed by Apple. 

Mashable has reached out to Apple for comment. We will update this story if and when Apple provides a response.

Privacy is a never-ending cat-and-mouse game

The report comes on the heels of weeks of Apple being forced to on the defense as investors assess concerns on the overall health of the iPhone as a result of missed quarterly revenue and flat sales caused from a variety of factors such as increased retail prices, trade war challenges between the U.S. and China, and a higher-than-normal battery replacements.

Additionally, Apple’s been forced into damage control after a bombshell report revealed a major FaceTime bug allowed users to spy on a caller. Apple quickly crippled the ability to make Group FaceTime calls as it scrambles to patch the bug, but the damage will no doubt have long-lasting effects not immediately felt.

As much as Apple’s trumpeted how much it values and prioritizes privacy — the company even went so far as to throw shade at the entire tech industry’s weak stance on the matter with a massive, prominently-placed billboard at CES 2019 (a tech show it doesn’t have any official presence at) — even it’s not impervious to slip-ups.

“It’s becoming clearer every time stories on tools such as Karma surface that the cat-and-mouse game between device makers and hackers will be a never-ending one.”

Cyber tools such as Karma are nothing new and though their discoveries can be surprising and alarmist, it’s important to remember no device or platform is (or will ever be) airtight safe. Previously discovered hacking tools like GrayKey allowed law enforcement to snoop on iPhones. Apple has patched all security exploits that have been made public. 

While iPhones are still far more secure than Android phones, it’s becoming clearer every time stories on tools such as Karma surface that the cat and mouse game between device makers and hackers will be a never-ending one. Moreover, software exploits may become easier for larger companies like Apple to miss as the number of active devices grows. Oversight is always a possibility and it’s not going to become any easier now that Apple’s got over 900 million iPhones out in the wild to consider when developing software updates.

The best way to combat potential hacking is to make sure your device (iPhone or not) is updated to the latest software version. New updates typically include security patches that close vulnerabilities.   Device performance and stability for Android devices depends on its specific maker, but at least for iPhones, compatible devices need not worry about the latest iOS 12 slowing them down. As our editors Chris Taylor and Stan Schroeder discovered, iOS 12 gave their iPhone and iPads new life by making them faster thanks to several built-in chipset optimizations.

So get updating if you’ve been putting it off. It’s the best defense anyone can all take. That, or don’t use any internet-connected device.